The Supreme Court of Canada released its decision in Wakeling v. United States on Friday, adding another picket in the progressive hedging-in of intelligence practices by law. In my view, the case has serious implications for CSIS (and potentially CSEC) international intelligence-sharing, to the point that conventional practices in the area are now constitutionally doubtful. Placing those practices of firmer constitutional footing is a reasonably straightforward fix. The question in my mind is whether the government will use the opportunity presented by Bill C-44, amending the CSIS Act, to preempt the inevitable next generation of constitutional challenges. Or alternatively will it follow what appears to be its standard practice of waiting until matters become so untenable that a legal fix is practically dictated to it.

It's worth reading the whole thing.

One question identified by Forcese is the degree to which CSE's existing procedures for "minimizing" Canadian identity information may help to fulfill the requirement for the protection of privacy in information-sharing.

A wrinkle for CSEC would be that intercept of Canadian communications under its independent, foreign intellignece mandate is supposedly done incidentally, and I believe that the Canadian information is then "minimized" to remove identifying information. If only minimized data is shared, it may be that section 8 privacy interests are not triggered by the information sharing in the same way as they are by the actual collection. So the CSEC discussion on section 8 and its application to intercept sharing would be more complex

This is a good point.

The CSE Commissioner has confirmed that "CSEC suppresses Canadian identity information in what is shared with its international partners."

But there are two points worth noting about this "minimized" information:

First, CSE retains the original, unminimized information in its databases, and well-established procedures exist for customers, including foreign partners, to request and subsequently receive the original identity information as long as they can demonstrate a need for the information that meets CSE's criteria for providing it. Those criteria are, of course, secret, so it's impossible for the public to judge their adequacy.

It is those procedures that will determine in the first instance where CSE draws the line between privacy protection and intelligence-sharing.

Second, in many cases it may be possible for customers to circumvent minimization by unminimizing information on their own, through analyzing context information in the data, comparing intercepts to information already acquired by the customer itself, examining related metadata, or performing other kinds of analysis. De-anonymization of supposedly anonymized data sets is an area of increasing concern. This possibility suggests that minimization alone, although undoubtedly a very useful strategy for privacy protection, may not be enough to ensure sufficient protection.